To protect computing devices, and their users, from executing computer-executable instructions that may be malicious or otherwise cause unintended or unexpected consequences, a “software restriction policy” can be implemented, whereby only pre-approved computer-executable instructions are allowed to execute on the computing device. Traditionally, an administrator of a computing device can pre-select which files, comprising computer-executable instructions, will be allowed to execute on the computing device. Thus, for example, an administrator may decide to allow only specific word processing and spreadsheet applications to execute on a computing device. Such a decision by the administrator, implemented via a software restriction policy, can, not only prevent users of such a computing device from inadvertently, or intentionally, executing malicious computer-executable instructions, but it can also prevent users from executing improper computer-executable instructions, such as games or entertainment-focused computer-executable instructions.
Traditionally, software restriction policies are defined, by an administrator, by using a file-by-file approach. Specifically, the administrator manually selects which files, comprising computer-executable instructions, are to be allowed to execute and, by definition, all of the files not included will be denied the ability to execute on the computing device implementing the software restriction policy. Unfortunately, many modern software applications comprise dozens of files with executable instructions, all of which need to be allowed to execute in order for the overall software application to execute properly. If an administrator inadvertently does not include one or more such executable files in the software restriction policy, the overall software application may not execute properly. Thus, a potentially substantial amount of trial-and-error may be required on the part of the administrator to create a software restriction policy that is “complete.” Alternatively, if the administrator errs by including too many files, the software restriction policy may not provide the security that was intended. Such a software restriction policy may be complete, but it may not be “correct” given the administrator's needs and intentions.